Process for group-based cryptographic code management between a first computer unit and group computer units

ABSTRACT

A group-based cryptographic code management method is proposed, in which a security policy which is used in a further communication is negotiated between group computer units and a first computer unit.

This application commences this National Stage of PCT/DE97/01001 filed May 16, 1997.

BACKGROUND OF THE INVENTION

During communication with a plurality of communication subscribers, it is necessary in many technical areas to use cryptographic methods to protect all the communications of all the subscribers against any form of misuse. In this case, the complexity which is required for cryptographic protection of all the communications is dependent on the respective application. Thus, for example, in private conversations it is under some circumstances not of major importance for all the cryptographically possible security measures to be used to protect the communication. However, in the case of communication with highly confidential contents, for example, very strict protection of the communication is of considerable importance.

The choice of security services, security mechanisms, security algorithms and security parameters used for communication protection is called the security policy, which is complied with during communication between communication partners.

However, since the security requirement and, linked to it, the security policy differ from communication session to communication session and from application to application, and since not all the communication subscribers actually have all the cryptographic methods available to them, it is possible when communication partners change frequently for serious discrepancies to arise in the required or possible security policy which is supported by the respective computer unit of the communication partner and can thus be ensured.

It is necessary for a standard security policy to be defined for the respective communication in every communication session within the group taking part in the communication session. Above all, it is necessary to provide a binding definition of a so-called group code, which is unambiguous for the entire group.

A summary of the cryptographic methods which can generally be used and can be used in the method can be found, for example, in Document S. Muftic, Sicherheitsmechanismen für Rechnernetze, (Security mechanisms for computer networks), Karl Hansa Verlag Muenchen, ISBN 3-446-16272-0, (1992), pages 34-70.

It is known for two communication partners to negotiate a security policy, the negotiation which is described in this document being limited, however, only to a few parameters that are defined in advance; see document, E. Kipp et al, The SSL Protocol, Internet Draft, available in June 1995 on the Internet from the following address: gopher://ds.internic.net:70/00/internet-drafts/draft-hickman-netscape-ssl-01.txt.

SUMMARY OF THE INVENTION

The invention is thus based on the problem of carrying out group-based cryptographic code management between a first computer unit and any required number of other group computer units, the negotiation not being limited to specific parameters.

A first message is formed by a first computer unit and is in each case transmitted to at least some of the group computer units. The first message contains at least a first security policy proposal and a first identity checking variable. The first security policy proposal is verified in the group computer units using the first identity checking variable, and second security policy proposals are formed, in each case independently of one another, in the group computer units. This means that a specific second security policy proposal is formed in each group computer unit and is transmitted, in each case in a second message, to the first computer unit. The first computer unit receives the individual second security policy proposals, and a third message is formed and is transmitted to the group computer units. The group computer units use the third identity checking variable, which is contained in the third message, to check the integrity of the group security policy transmitted in said third message.

With this method, a group-based method is for the first time proposed for cryptographic code management, by means of which it is possible to negotiate a security policy between the first computer unit and further computer units, the group computer units.

In the case of this method, the first computer unit advantageously determines which further group computer units are intended to take part in a subsequent communication using the method. This clearly means that the group computer units are "invited" by the first computer unit.

Furthermore, a considerable advantage of this method is that only the code certificate of the specific computer unit need be known in each case in the group computer units. The code certificates of the other group computer units are not important for the respective group computer unit. This characteristic of the method saves considerable complexity in code administration in the respective group computer unit, for the codes of the respective other group computer units.

The encryption of the first message and/or of the third message using a public code of the respective group computer unit to which the messages are in each case sent and decryption of the respective messages in the respective group computer unit allow confidentiality of the transmitted messages and thus of the negotiated security policy proposals and security policy. This development of the method considerably improves the cryptographic security of the method.

Furthermore, in one development, it is advantageous for the messages to contain in addition a random number, which random numbers are in each case produced either by the first computer unit or the respective group computer unit. The random numbers allow reinjection of messages which have been monitored in an authorized manner to be detected. Furthermore, the random numbers can be used for mutual authentication of the first computer unit and the group computer units.

Furthermore, it is advantageous in a development of the method for the first message to have a code certificate of the first computer unit. This development allows trustworthy authentication of the first computer unit with respect to the group computer units. This development further enhances the cryptographic security of the method.

In a development of the method, it is advantageous, before transmission of the first message, for a first authentication message to be formed in the first computer unit and to be transmitted to the group computer units. The first authentication message in this case contains at least one code certificate of the first computer unit, which code certificate is verified and stored in the group computer units. This development results in a further improvement in the cryptographic security achieved by the method.

It is furthermore advantageous, before the transmission of the first message, for a second authentication message to be formed in each case in the group computer units and to be transmitted to the first computer unit. The second authentication messages each have at least the corresponding code certificate of the respective group computer unit from which the respective second authentication message is sent. The code certificates are verified and likewise stored by the first computer unit. This procedure allows code certificates to be exchanged between the group computer units and the first computer unit, particularly when this development is combined with the development of the method in which a first authentication message is transmitted from the first computer unit to the group computer units. Furthermore, this development improves the cryptographic security and the code administration can be carried out quickly since, in the case of this development, the individual computer units in each case subsequently have the code certificate and thus the public code of the respective communication partner.

In order further to improve the cryptographic security of the method, one development provides for the second authentication message to have an authentication identity checking variable, which can be used in the first computer unit, to check the integrity of the second authentication message. It is furthermore advantageous for at least some of the second authentication messages in each case to be encrypted using a public code of the first computer unit. This development once again enhances the cryptographic security of the method.

In one development, it is also advantageous, after checking the integrity of the group security policy, for the group computer units in each case to form an acknowledgement message and to transmit this message to the first computer unit, as a result of which the first computer unit receives a report that the group security policy has been received and processed.

The development of the method in which at least one of the following identity checking variables is formed using a hash function considerably improves the feasibility of carrying out the method in the respective computer unit since a hash function, based on asymmetric cryptographic methods, requires considerably less computation complexity than, for example, a digital signature. The identity checking variables, which can be formed, for example, using a hash function, are, for example: the first identity checking variable, the second identity checking variable, the third identity checking variable and the authentication identity checking variable.

In a development, the method can also be subjected to a number of iterations, i.e. the negotiation of the security policy described in the following text can be carried out via a number of steps bilaterally between the first computer unit and a group computer unit, or for any required number of group computer units. This procedure can considerably enhance the granularity of the negotiation of the security policy to be used, and the efficiency and reliability of the security policy used are thus optimized.

BRIEF DESCRIPTION OF THE DRAWINGS

The features of the present invention which are believed to be novel, are set forth with particularity in the appended claims. The invention, together with further objects and advantages, may best be understood by reference to the following description taken in conjunction with the accompanying drawings, in the several Figures of which like reference numerals identify like elements, and in which:

FIG. 1 shows a sketch which illustrates a first computer unit and group computer units coupled to the first computer unit;

FIG. 2 shows a flowchart, in which the method steps of the method are illustrated;

FIG. 3 shows a flowchart, in which a development of the method using additional authentication messages is illustrated;

FIG. 4 shows a flowchart, in which the method is illustrated without authentication messages with a number of developments of the method;

FIG. 5 shows a flowchart, in which the method is illustrated with the authentication messages and a number of developments of the method.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

A summary of the cryptographic methods which can be used generally and can be used in the method can be found, for example, in Document, E. Kipp et al, The SSL Protocol, Internet Draft, available in June 1995 on the Internet from the following address: gopher://ds.internic.net:70/00/internet-drafts/draft-hickman-netscape-ssl-01.txt. Further cryptographic methods are known, without limitation of their specific characteristics, to the person skilled in the art and can be used independently of their cryptographic characteristics, without further limitations on the method.

FIG. 1 shows a first computer unit C1, which is coupled via any required couplings K to any required number m of group computer units Rj. The index j uniquely identifies each group computer unit Rj. The index j is a natural number between 1 and the number m of group computer units Rj.

For the method, all that is necessary is for the group computer units Rj to be coupled to the first computer unit C1. The group computer units Rj need not be connected to one another.

It is also unnecessary for the group computer units Rj to exchange messages with one another. This leads to a considerable saving in computation time in the group computer units Rj since in this method, each group computer unit Rj knows only one code certificate CERTI, which is described below, of the first computer unit C1 and/or one public code PK_I which is trustworthy for other reasons. Further cryptographic codes of other group computer units Rj do not need to be stored and managed in the individual group computer units Rj in this method.

FIG. 2 shows the individual method steps of the method in a flowchart. A first message N1 is formed in the first computer unit in a first step 201. The first message has at least a first security policy proposal SPI and a first identity checking variable SIG{SPI}.

The first security policy proposal SPI contains any required security services, security mechanisms and security algorithms, as well as security parameters within the security algorithms.

The security services, security mechanisms, security algorithms and security parameters are independent of the security policy followed by the first computer unit C1 and of the security policy applied to the communication.

A specific choice, planned for the respective communication, of the security services, security mechanisms, security algorithms and security parameters is transmitted as a first security policy proposal SPI in the first message N1, in a second step 202, from the first computer unit C1 to at least some of the group computer units Rj.

As can be seen, this transmission 202 of the first message N1 means that the group computer units Rj are "invited" by the first computer unit C1 to join the subsequent group communication. Together with the "invitation", the planned security policy is reported to the group computer units Rj, by the first security policy proposal SPI.

Furthermore, the first message N1 has a first identity checking variable SIG{SPI}. The first identity checking variable SIG{SPI}, which is formed at least via the first security policy proposal SPI, ensures that the identity of the first security proposal SPI is obtained for the transmission 202 for the receiver, that is to say for the respective group computer unit Rj.

The principle of the digital signature, as is described in Document [2], or else any required hash function can be used, for example, to form the identity checking variables used in this method. The term hash function in this case means a function in which it is not possible to calculate a matching input value for a given function value. Furthermore, an input character sequence of any required length is assigned an output character sequence of fixed length. Furthermore, the hash function requires collision freedom in this context, that is to say it must be impossible to find two different input character sequences which produce the same output character sequence.

Once the respective group computer unit Rj has received the first message N1 203, the first identity checking variable SIG{SPI} is used to check the identity of the first security policy proposal SPI 204.

If the identity remains proven, that is to say no transmission error has occurred, then each of the "invited" group computer units Rj forms a second message N2 205. The second message N2 in each case contains a second security policy proposal SPRj, which is specific to the respective group computer unit Rj and is formed by the respective group computer unit Rj.

The second security policy proposal SPRj may consist, for example, only of a confirmation of the first security policy proposal SPI or else of a selection of security services, security mechanisms, security algorithms and security parameters which is specific to the respective group computer unit Rj, and which are intended to be supported by the respective group computer unit Rj and used for the future communication session from the point of view of the respective group computer unit Rj.

A second identity checking variable SIG{SPRj} is furthermore in each case formed for the second security policy proposal SPRj. The second identity checking variable SIG{SPRj} is likewise contained in the second message N2.

The second message N2 is in each case transmitted from the group computer unit Rj to the first computer unit C1 206.

Once the second message N2 has in each case been received by the first computer unit 207, a check is carried out for the respectively received second message N2 to determine whether the identity of the respective second security policy proposal SPRj is still obtained for the transmission 206 to the first computer unit C1 208. The integrity of the data can be checked, for example, using a digital signature, in which the respective secret code of the sender SK_I, SK_Rj is used for coding, the public code of the sender PK_I, PK_Rj being used in each case. However, if a hash function is used to ensure integrity, then only the data to be checked are subjected to the hash function while the integrity is in each case checked in the receiver, and the result is compared with the respective identity checking variable.

Once the first computer unit C1 has received and checked all the second messages N2, or a predeterminable proportion of the second messages N2, then a third message N3 is formed in the first computer unit C1 209.

The third message N3 contains at least one group security policy SPG which states which security policy is actually now intended to be used for the subsequent communication.

The group security policy SPG can be formed automatically, for example taking account of the second security policy proposals SPRj of the group computer units Rj, or it can alternatively be defined by a user of the first computer unit C1.

The user-based definition of the group security policy SPG in the first computer unit C1 is based on the user "manually" selecting the actually used security services, security mechanisms, security algorithms and security parameters. This may, but need not, be done taking account of the second security policy proposals SPRj.

A development of the method provides for the group security policy SPG to have a common group conference code K_C which is used in the subsequent communication for encryption of the wanted data. The group security policy SPG can furthermore include a group distribution code K_D with which subsequent group conference codes K_C, which are used for encryption of the wanted data in the subsequent communication itself, are distributed from the first computer unit C1 to the group computer units Rj in encrypted form.

Furthermore, the group security policy SPG has the security services, security mechanisms, security algorithms and security parameters which are actually chosen for the further communication, that is to say the security policy that is actually followed.

Thus, both the group security policy SPG and the group conference code K_C or the group distribution code K_D can be transmitted confidentially and in a binding manner to the group computer units Rj.

The group conference code K_C and the group distribution code K_D may be either a symmetric code or an asymmetric code.

Furthermore, the third message N3 has a third identity checking variable SIG{SPG}.

The third message N3 is transmitted from the first computer unit C1 to the group computer units Rj 210. The group computer units Rj receive the third messages N3 211, and the third identity checking variable SIG{SPG} is used to check the integrity of the third message N3.

In this way, a security policy SPG which is used in the rest of the method is reported to the group computer units Rj, that is to say to the other subscribers to the subsequent communication, it being possible to take account of proposals or requests from the group computer units Rj with respect to the security policy to be used.

A development of the method provides not only an iteration, that is to say a negotiation phase for the security policy proposals SPI, SPRj, SPG, but multiple communication between the first computer unit C1 and the group computer units Rj. The other messages Nn used in this case and their identity checking variables result from the basic process described above. This development ensures increased granularity in the negotiation of the finally used security policy, and thus better optimization of the security services, security mechanisms, security algorithms and security parameters to be used.

Various developments of the method envisage improvement of the cryptographic security of the method.

In this case, one development provides for the first message N1 and/or the third message N3 in each case to be encrypted using a public code PK_Rj of the respective group computer unit Rj, and for the first message N1 and/or the third message N3 to be decrypted in the respective group computer unit Rj using a secret code SK_Rj of the respective group computer unit Rj. In this way, the confidentiality of the first message N1 and of the third message N3 are ensured during the transmission 202, 206.

Further cryptographic actions, for example the reinjection of intercepted or monitored data, are taken into account by the use of random numbers NI, NRj in the messages N1, N2, N3 and in authentication messages AN1, AN2 which are described below. If a first random number NI is formed in the first computer unit C1, and the first random number NI is transmitted, for example, in the first message N1 or in a first authentication message AN1, which is described below, to the respective group computer units Rj, then the first random number NI can also be used for authentication of the respective group computer unit Rj with respect to the first computer unit C1, particularly in the case when the first random number NI is transmitted in encrypted form in the first message N1 or the first authentication message AN1. The authentication is in this case carried out, for example, by the first random number NI from the respective group computer unit Rj being added to the second message N2 or the second authentication message AN2, and the second message N2 or the second authentication message AN2, respectively, being transmitted in encrypted form to the first computer unit C1. This ensures for the first computer unit C1 that the respective message can have been sent only from a group computer unit Rj.

This authentication effect can, however, also be achieved by using asymmetric encryption methods in that, for example, the second message N2 or the second authentication message AN2 is in each case encrypted using a secret code SK_I, SK_Rj of the respective sender, and the respective message being decrypted in the receiver using a public code PK_I, PK_Rj of the sender. In this way, the receiver is assured that the sender has also actually sent the respective message.

Furthermore, it is also provided for second random variables NRj, which naturally differ from one another between the individual group computer units Rj, to be formed independently of one another in the group computer units Rj, and to be added to the individual messages.

The individual random numbers are in each case stored by the receiver and can be reused in other messages, for example for authentication.

The messages in which the random numbers NI, NRj can be used, for example, in the method are described below with reference to FIG. 4.

In FIG. 3, the method described in FIG. 2 is provided with a development in which a first authentication message AN1 is formed by the first computer unit C1 at the start of the method 301, and is in each case transmitted to the respective group computer unit 302. The first authentication message AN1 contains at least one code certificate CERTI of the first computer unit C1.

After receipt 303 of the first authentication message AN1 and verification 304 of the code certificate CERTI of the first computer unit C1, a second authentication message AN2 is formed in each group computer unit Rj, and is in each case transmitted from the group computer unit Rj to the first computer unit C1 306.

In this development, the second authentication message AN2 contains at least in each case one code certificate CERTRj of the respective group computer unit Rj.

This procedure results, after the method has been carried out, in both the group computer units Rj and the first computer unit C1 each having the trustworthy public code PK_I, PK_Rj of the respective communication partner. The code certificates CERTI, CERTRj are stored in the first computer unit C1 and the respective group computer unit Rj, respectively.

For further cryptographic protection of the method, one development provides for the individual code certificates CERTI, CERTRj to be verified after they have respectively been received.

The second authentication message AN2 in one development furthermore has an authentication identity checking variable SIG{NRj, NI}. The authentication identity checking variable SIG{NRj, NI} is in turn used to ensure the identity of the authentication message AN2, which is second in this case.

Furthermore, in a development, at least a part of the second authentication message AN2 is encrypted using a public code PK_I of the first computer unit C1, which ensures confidentiality for the respective part of the second authentication message AN2.

FIG. 4 shows the method with a number of developments. Although they are illustrated together in a figure, the developments are in no way envisaged only in the complete overall combination of the developments, but in each case only in individual extensions or any required combination of developments.

For example, the first message N1 also has a list of addresses of the group computer units Rj, which list is called the group list GL below. Furthermore, the first message N1 has the code certificate CERTI of the first computer unit C1. In this development, the first random number NI, the first security policy proposal SPI and the first identity checking variable SIG{GL, NI, SPI} are encrypted using the public code PK_Rj of the respective group computer unit Rj. The first identity checking variable SIG{GL, NI, SPI} is in this example formed by a digital signature using the secret code SK_I of the first computer unit C1 via the group list GL, the first random number NI and the first security policy proposal SPI.

This development ensures that even the first message N1 ensures the authentication of the first computer unit C1 with regard to the respective group computer unit Rj, the confidentiality of the first security policy proposal SPI, avoidance of the first message N1 being reinjected, and the integrity of the group list GL, of the first random number NI and of the first security policy proposal SPI.

Once the encrypted data have been decrypted using the secret code SK_Rj of the respective group computer unit Rj, and the digital signature, that is to say the first identity checking variable SIG{GL, NI, SPI} has then been verified 204, the respective group computer unit Rj contains the group list GL, the public code PK_I of the first computer unit C1, the first random number NI as well as the first security policy proposal SPI.

After the formation of the respective second security policy proposal SPRj in the respective group computer unit Rj 205, the second message N2 is formed and is transmitted to the first computer unit C1 206.

In this example with the developments, the second message N2 contains, for example, the following elements:

the second random number NRj,

the first random number NI,

identity statement I of the first computer unit C1,

the second security policy proposal SPRj,

a hash value h(NRj, NI, I, SPRj) which is formed via the variables mentioned above and forms the second identity checking variable SIG{SPRj}.

In this development, the second message N2 is encrypted using the public code PK_I of the first computer unit C1.

The second message N2 is received by the first computer unit C1 207, and the hash value h(NRj, NI, I, SPRj) of the second message N2, that is to say the second identity checking variable SIG{SPRj} is checked 208, as a result of which the integrity of the variables, via which the hash value h(NRj, NI, I, SPRj) was formed, is ensured.

Once the first computer unit C1 has received 207 and evaluated a number which can be predetermined, for example all or more than one predeterminable limit of second messages N2 from the first computer units C1, the third message N3 is formed 209 in the first computer unit C1 and is in each case transmitted, as a copy, to the individual group computer units Rj.

In a development of the method, an improvement in efficiency is achieved by the method being carried out such that a so-called multicast mechanism for copying a message simultaneously to the group computer units Rj is offered by a transport network which is used for transmitting the data in the case of the method. The multicast mechanism can be achieved, for example, either directly in the transport network itself as a service, for example by means of a copying unit, for example an ATM switch, or by corresponding multicast/broadcast addressing in the first computer unit C1 itself.

Depending on the addressee, that is to say depending on the group computer unit Rj to which the third message N3 is transmitted, the third messages N3 contain, for example, the following elements:

the second random number NRj,

an identity statement Rj of the respective group computer unit Rj,

the group security policy SPG as well as a hash value h(NRj, Rj, SPG) which is formed via the variables mentioned above and forms the third identity checking variable SIG{SPRj}.

The first messages N1 and the third message N3 are in this development encrypted using the public codes PK_Rj of the respective group computer unit Rj.

The third messages N3 are transmitted 210 to the respective group computer units Rj and are received there 211, the third message N3 is in each case decrypted using the secret code SK_Rj of the respective group computer unit Rj, and the hash value h(NRj, Rj, SPG) is checked 212.

Furthermore, a development is described in FIG. 4, in which the individual group computer units Rj each transmit an acknowledgement message ACK to the first computer unit C1.

The acknowledgement messages ACK are formed in the group computer units Rj. Depending on the group computer unit Rj which forms the acknowledgement message ACK, the acknowledgement messages ACK in this development contain, for example, the following elements:

the identity statement Rj of the group computer unit Rj which is sending the acknowledgement message ACK,

as well as a hash value h(NRj, NI, I, SPG) which is formed at least via the second random number NRj, the first random number NI, the identity statement I of the first computer unit C1 and via the group security policy SPG.

The acknowledgement message ACK is used by the respective group computer unit Rj to confirm to the first computer unit C1 that it has reliably received the information about the group security policy SPG.
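
The FIG. 4 exchange described above (N1, N2, N3 and ACK with their hash-based identity checking variables and the random numbers NI, NRj), as an added example that is not part of the patent text. It assumes SHA-256 over length-prefixed fields for h, uses the hash h(GL, NI, SPI) in place of the signature SIG{GL, NI, SPI}, forms SPG automatically as the first commonly supported algorithm per service, and omits the public-key encryption and code certificates, so the checks shown here cover field binding and random-number freshness only. All class, function and algorithm names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def h(*fields: bytes) -> bytes:
    """Assumed hash: SHA-256 over length-prefixed fields, so field boundaries are unambiguous."""
    d = hashlib.sha256()
    for f in fields:
        d.update(len(f).to_bytes(4, "big") + f)
    return d.digest()

def enc(policy: dict) -> bytes:
    """Canonical byte encoding of a policy {service: [algorithms in preference order]}."""
    return ";".join(f"{k}={','.join(v)}" for k, v in sorted(policy.items())).encode()

def check(msg: dict, *fields: bytes) -> None:
    """Recompute the identity checking variable and compare it in constant time."""
    if not hmac.compare_digest(msg["chk"], h(*fields)):
        raise ValueError("identity checking variable mismatch")

class FirstUnit:  # plays C1
    def __init__(self, ident: bytes, spi: dict, group_list: list):
        self.I, self.SPI, self.GL = ident, spi, group_list
        self.NI = secrets.token_bytes(16)          # first random number NI
        self.NR, self.SPR, self.SPG = {}, {}, None

    def make_n1(self) -> dict:
        return {"GL": self.GL, "I": self.I, "NI": self.NI, "SPI": self.SPI,
                "chk": h(b",".join(self.GL), self.NI, enc(self.SPI))}

    def on_n2(self, sender: bytes, n2: dict) -> None:
        check(n2, n2["NRj"], n2["NI"], n2["I"], enc(n2["SPRj"]))
        if n2["NI"] != self.NI or n2["I"] != self.I:
            raise ValueError("stale or misdirected N2")   # NI echoes this session
        self.NR[sender], self.SPR[sender] = n2["NRj"], n2["SPRj"]

    def make_n3(self, rj: bytes) -> dict:
        if self.SPG is None:                       # automatic formation of SPG
            self.SPG = {}
            for svc, prefs in self.SPI.items():
                common = [a for a in prefs
                          if all(a in p.get(svc, []) for p in self.SPR.values())]
                if not common:
                    raise ValueError(f"no common algorithm for {svc}")
                self.SPG[svc] = [common[0]]
        return {"NRj": self.NR[rj], "Rj": rj, "SPG": self.SPG,
                "chk": h(self.NR[rj], rj, enc(self.SPG))}

    def on_ack(self, ack: dict) -> bool:
        if ack["Rj"] not in self.NR:
            raise ValueError("ACK from a unit that sent no N2")
        check(ack, self.NR[ack["Rj"]], self.NI, self.I, enc(self.SPG))
        return True

class GroupUnit:  # plays one Rj
    def __init__(self, ident: bytes, supported: dict):
        self.Rj, self.supported = ident, supported
        self.NRj = secrets.token_bytes(16)         # second random number NRj
        self.NI = self.I = self.SPG = None

    def on_n1(self, n1: dict) -> dict:
        check(n1, b",".join(n1["GL"]), n1["NI"], enc(n1["SPI"]))
        if self.Rj not in n1["GL"]:
            raise ValueError("not on the group list")
        self.NI, self.I = n1["NI"], n1["I"]
        # SPRj: the subset of SPI this unit supports, keeping C1's preference order
        sprj = {svc: [a for a in prefs if a in self.supported.get(svc, ())]
                for svc, prefs in n1["SPI"].items()}
        return {"NRj": self.NRj, "NI": self.NI, "I": self.I, "SPRj": sprj,
                "chk": h(self.NRj, self.NI, self.I, enc(sprj))}

    def on_n3(self, n3: dict) -> dict:
        check(n3, n3["NRj"], n3["Rj"], enc(n3["SPG"]))
        if n3["NRj"] != self.NRj or n3["Rj"] != self.Rj:
            raise ValueError("replayed or misdirected N3")
        self.SPG = n3["SPG"]
        return {"Rj": self.Rj, "chk": h(self.NRj, self.NI, self.I, enc(self.SPG))}

def negotiate(first: FirstUnit, units: list) -> dict:
    """Run N1 -> N2 -> N3 -> ACK for every invited unit and return SPG."""
    n1 = first.make_n1()
    for u in units:
        first.on_n2(u.Rj, u.on_n1(n1))
    for u in units:
        first.on_ack(u.on_n3(first.make_n3(u.Rj)))
    return first.SPG

def demo_session():
    """Constructed sample data: one C1 and two group units with different capabilities."""
    spi = {"confidentiality": ["AES-256-GCM", "CHACHA20-POLY1305", "AES-128-GCM"],
           "integrity": ["HMAC-SHA-384", "HMAC-SHA-256"]}
    first = FirstUnit(b"C1", spi, [b"R1", b"R2"])
    units = [GroupUnit(b"R1", {"confidentiality": {"CHACHA20-POLY1305", "AES-128-GCM"},
                               "integrity": {"HMAC-SHA-256"}}),
             GroupUnit(b"R2", {"confidentiality": {"AES-256-GCM", "AES-128-GCM"},
                               "integrity": {"HMAC-SHA-384", "HMAC-SHA-256"}})]
    return first, units

if __name__ == "__main__":
    print(negotiate(*demo_session()))
```

Because h is unkeyed, anyone who can rewrite a message in transit can also recompute the checking variable; in the development described above that is prevented by encrypting each message under the recipient's public code, which this sketch leaves out.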

FIG. 5 shows a further development in which, rather than as is presupposed in the development illustrated in FIG. 4, all the trustworthy public codes PK_Rj of the group computer unit Rj are available in the first computer unit C1.

In this development, the public codes PK_Rj, PK_I of the computer unit C1, Rj are exchanged at the start of the method, mutual authentication of the computer units C1, Rj being carried out at the same time.

The first authentication message AN1, which is formed in the first computer unit C1 and is transmitted to the group computer units Rj, contains, for example, the following elements:

the group list GL,

the first random number NI,

the code certificate CERTI of the first computer unit C1.

The code certificate CERTI is evaluated and verified by the respective group computer unit Rj, and the first message N1 is stored with the elements of said certificate.

The second authentication message AN2, which is formed in the respective group computer unit Rj and is transmitted to the first computer unit C1, in this development contains, for example, the following elements:

the second random number NRj,

the first random number NI,

the authentication identity checking variable SIG{NRj, NI},

in each case one code certificate CERTRj of the respective group computer unit Rj.

The elements of the second authentication message AN2 are all encrypted, up to the respective code certificate CERTRj of the respective group computer unit Rj, using the public code PK_I of the first computer unit C1. This ensures the confidentiality of the random numbers NRj, NI as well as the signature via the random numbers, that is to say the authentication identity checking variable SIG{NRj, NI}.

The second authentication messages AN2 are received in the first computer unit C1 and are encrypted using the secret code SK_I of the first computer unit C1.

The authentication identity checking variable SIG{NRj, NI} is also verified.

After this, the first message N1 is formed 201 in the first computer unit C1, and is transmitted 202 to the respective group computer unit Rj.

The first message N1 contains, in each case independently of the respective group computer unit Rj to which the first message N1 is sent, the following elements, for example:

the respective second random number NRj which has been transmitted from the respective group computer unit Rj to the first computer unit C1,

the respective identity statement Rj of the group computer unit Rj,

the first security policy proposal SPI,

a hash value h(NRj, Rj, SPI) which has been formed at least via the second random number NRj, the identity variable NRj of the group computer unit Rj and via the first security policy proposal SPI.

The hash value h(NRj, Rj, SPI) forms the first identity checking variable SIG{SPI}.

The first message N1 is transmitted 202 in encrypted form to the respective group computer unit Rj, the first message N1 in each case being encrypted using the public code PK_Rj of the respective group computer unit Rj.

After receipt 203 of the encrypted first message N1, the first message N1 is in each case decrypted in the group computer units Rj using the respective secret code SK_Rj of the respective group computer unit Rj, and the integrity of the first message N1 is verified 204 using the hash value h(NRj, Rj, SPI). Furthermore, the second message N2 is formed 205 in the group computer units Rj, and is in each case transmitted to the first computer unit C1.

In this development, the second message N2 contains, for example, the following elements:

the second random number NRj,

the first random number NI,

the identity statement I of the first computer unit C1,

the respective second security policy proposal SPRj,

a hash value h(NRj, NI, I, SPRj), which is formed at least via the second random number NRj, the first random number NI, the identity statement I of the first computer unit C1 and the second security policy proposal SPRj.

The hash value h(NRj, NI, I, SPRj) forms the second identity checking variable SIG{SPRj}.

The second message N2 is in this development transmitted in encrypted form, the second message N2 in each case being encrypted using the public code PK_I of the first computer unit C1.

Once the respective second message N2 has been received 207 in the first computer unit C1, the second message N2 is decrypted using the secret code SK_I of the first computer unit C1, and the identity is ensured by verification of the hash value h(NRj, NI, I, SPRj).

The group security policy SPG is then determined.

Furthermore, the third message N3 is formed 209 in the first computer unit C1 for each group unit Rj, which third messages N3 in each case differ only by those elements which are specific to the respective group computer unit Rj.

In this development, the third message N3 in each case contains, for example, the following elements:

the respective second random number NRj,

the respective identity statement Rj of the group computer unit Rj,

the group security policy SPG,

a hash value h(NRj, Rj, SPG) which is formed at least via the second random number NRj, the identity statement Rj of the group computer unit Rj and the group security policy SPG.

The hash value h(NRj, Rj, SPG) forms the third identity checking variable SIG{SPG}.

The respective third message N3 is likewise transmitted 210 in encrypted form in this development. In this case, the third message N3 is in each case encrypted using the public code PK_Rj of the respective group computer unit Rj.

Once the third message N3 has in each case been received 211 in the group computer unit Rj, the third message N3 is decrypted using the respective secret code SK_Rj of the group computer unit Rj, and the hash value h(NRj, Rj, SPG) is verified 212.

Furthermore, the acknowledgement message ACK is formed in the respective group computer unit Rj and is transmitted to the first computer unit C1.

The acknowledgement message ACK in this example has the following elements:

the identity statement Rj of the respective group computer unit Rj,

a hash value h(NRj, NI, I, SPG), which is formed at least via the second random number NRj, the first random number NI, the identity variable I of the first computer unit C1 and the group security policy SPG.
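The hash-based identity checking variables of the messages N1, N2, N3 and ACK listed above, as an added Python example that is not part of the patent text. Assumptions: SHA-256 over length-prefixed fields stands in for h, a policy is modelled as a set of algorithm names, SPG is taken as the intersection of all proposals, and the public-key encryption of each message is omitted.

```python
import hashlib
import hmac
import secrets

def h(*fields: bytes) -> bytes:
    """Hash over length-prefixed fields so field boundaries stay unambiguous."""
    d = hashlib.sha256()  # assumption: the text names no hash function
    for f in fields:
        d.update(len(f).to_bytes(4, "big") + f)
    return d.digest()

def enc(policy) -> bytes:
    return ",".join(sorted(policy)).encode()  # canonical policy encoding

def msg_from_c1(NRj, Rj, SP):
    """N1 (SP = SPI) or N3 (SP = SPG): NRj, Rj, SP, h(NRj, Rj, SP)."""
    return {"NRj": NRj, "Rj": Rj, "SP": SP, "h": h(NRj, Rj, enc(SP))}

def check_from_c1(m, NRj, Rj) -> bool:  # run by Rj on N1 and on N3
    return (m["NRj"], m["Rj"]) == (NRj, Rj) and hmac.compare_digest(
        m["h"], h(NRj, Rj, enc(m["SP"])))

def msg_to_c1(NRj, NI, I, SP):
    """N2 (SP = SPRj): NRj, NI, I, SP, h(NRj, NI, I, SP)."""
    return {"NRj": NRj, "NI": NI, "I": I, "SP": SP, "h": h(NRj, NI, I, enc(SP))}

def check_n2(m, NRj, NI, I) -> bool:
    return (m["NRj"], m["NI"], m["I"]) == (NRj, NI, I) and hmac.compare_digest(
        m["h"], h(NRj, NI, I, enc(m["SP"])))

def negotiate(I, SPI, group):
    """group maps Rj -> SPRj. Returns (SPG, units whose ACK verified)."""
    NI = secrets.token_bytes(16)
    NR = {Rj: secrets.token_bytes(16) for Rj in group}  # NRj, known from AN2
    SPG = set(SPI)
    for Rj, SPRj in group.items():
        n1 = msg_from_c1(NR[Rj], Rj, SPI)
        n2 = msg_to_c1(NR[Rj], NI, I, SPRj)
        if not (check_from_c1(n1, NR[Rj], Rj) and check_n2(n2, NR[Rj], NI, I)):
            raise ValueError("identity checking variable mismatch")
        SPG &= n2["SP"]  # assumption: SPG is what every unit supports
    acked = []
    for Rj in group:
        n3 = msg_from_c1(NR[Rj], Rj, SPG)
        ack = {"Rj": Rj, "h": h(NR[Rj], NI, I, enc(SPG))}  # formed by Rj
        if check_from_c1(n3, NR[Rj], Rj) and hmac.compare_digest(
                ack["h"], h(NR[Rj], NI, I, enc(SPG))):  # C1 recomputes
            acked.append(ack["Rj"])
    return SPG, acked
```

Because every hash covers the unit-specific random number NRj and an identity, a message built for one group computer unit fails the check at any other unit, and a changed policy field fails the check at the intended one.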

The method can be used both in so-called on-line code management scenarios and in so-called off-line code management scenarios.

The developments illustrated in FIGS. 4 and 5 to this extent represent an advantageous development since by means of this procedure it is possible to keep to a minimum the number of digital signatures required to ensure the integrity of the transmitted data and to use hash values whose formation is less computer intensive, instead of the digital signatures whose formation is computer intensive.

In this case, at least the first identity checking variable SIG{SPI}, the second identity checking variable h(SPRj) and the third identity checking variable h(SPG) as well as the authentication identity checking variable SIG{NRj, NI} can be formed in any required combination by the formation of hash values.

In FIGS. 4 and 5, the first identity checking variable SIG{SPI} is formed by the hash value h(NRj, Rj, SPI) or the digital signature SIG{GL, NI, SPI}.

The second identity checking variable SIG{SPRj} is formed in the method illustrated in FIG. 4 by the hash value h(NRj, NI, I, SPRj), and in the method illustrated in FIG. 5 by the hash value h(NRj, NI, I, SPRj).

The respective third identity checking variable SIG{SPG} is in each case formed by the hash value h(NRj, Rj, SPG) in the methods illustrated in FIGS. 4 and 5.

Furthermore, the authentication identity checking variable SIG{NRj, NI} is formed in the method illustrated in FIG. 4 by the digital signature SIG{NRj, NI}, and in the method illustrated in FIG. 5 by the hash value h(NRj, NI, I, SPRj).

A development of the method provides for the use of digital signatures in the entire method, with any required identity checking variables. The use of digital signatures indirectly achieves binding and indisputable transmission for the respective message via the identity checking variables, which have been formed using a digital signature. If digital signatures are formed for all the identity checking variables, then binding and indisputable, group-based code management is achieved with a negotiation phase for the security policy.

The invention is not limited to the particular details of the method depicted and other modifications and applications are contemplated. Certain other changes may be made in the above described method without departing from the true spirit and scope of the invention herein involved. It is intended, therefore, that the subject matter in the above depiction shall be interpreted as illustrative and not in a limiting sense.

What is claimed is:
 1. A method for group-based declaration of a cryptographic, common security policy between a first computer unit and group computer units, comprising the steps of: forming in the first computer unit a first message; providing in the first message at least a first security policy proposal and a first identity checking variable; transmitting the first message from the first computer unit to at least some of the group computer units; carrying out the following steps in the group computer units; receiving the first message by a respective group computer unit of the group computers; checking integrity of the first security policy proposal based on the first identity checking variable; forming a second message in each case, the second message having at least a second security policy proposal and a second identity checking variable; transmitting the second messages from the group computer units to the first computer unit; receiving the second messages by the first computer unit; checking integrity of each respective second security proposal using the corresponding second identity checking variable; forming a third message by the first computer unit; providing in the third message at least one group security policy and a third identity checking variable; transmitting the third message from the first computer unit to at least some of the group computer units; carrying out the following steps in the group computer units; receiving the third message by respective group computer units; and checking the integrity of the group security policy using the third identity checking variable.
 2. The method according to claim 1, wherein at least one of the first message and the third message is in each case encrypted using a public code of the group computer unit, and wherein at least one of the first message and the third message is decrypted in the group computer unit using a secret code of the respective group computer unit.
 3. The method according to claim 1, wherein each of the first, second and third messages has at least one random number.
 4. The method according to claim 1, wherein the first message has a code certificate of the first computer unit.
 5. The method according to claim 1, wherein before transmission of the first message, a first authentication message is formed in the first computer unit, wherein the first authentication message has at least one code certificate of the first computer unit, wherein the first authentication message has at least one code certificate of the first computer unit, wherein the first authentication message is transmitted from the first computer unit to at least some of the group computer units, and wherein the group computer units verify and store the code certificate of the first computer unit.
 6. The method according to claim 1, wherein before transmission of the first message and in at least some of the group computer units, a second authentication message is in each case formed in the group computer units, wherein the second authentication messages in each case have at least code certificates of the group computer units, wherein the second authentication messages are transmitted from the group computer units to the first computer unit, and wherein the first computer unit verifies and stores the code certificates of the group computer units.
 7. The method according to claim 6, wherein each of the first, second and third message has at least one random number, wherein the second authentication messages have an authentication identity checking variable, and wherein at least some of the second authentication messages are encrypted using a public code of the first computer unit.
 8. The method according to claim 1, wherein, after checking the integrity of the group security policy, each of the group computer units forms an acknowledgment message, wherein the acknowledgment messages are transmitted from the group computer units to the first computer unit, and wherein the acknowledgment messages are checked for integrity, in the first computer unit.
 9. The method according to claim 1, wherein at least one of the following identity checking variables is formed using a hash function: the first identity checking variable, the second identity checking variable, the third identity checking variable, the authentication identity check variable.
 10. The method according to claim 1, wherein the group security policy contains at least one group distribution code for encryption and distribution of group conference codes which continue to be used, or of a group conference code.
 11. The method according to claim 1, wherein a plurality of further messages having further security policy proposals are formed and transmitted by the first computer unit and by the group computer units.
 12. The method according to claim 1, wherein a multicast mechanism is provided for copying messages to be transmitted.
 13. The method according to claim 1, wherein at least some of the identity checking variables are formed using a digital signature.